Enabling PAM authentication
When your Linux® management hosts use either Microsoft Active Directory (AD) or MIT Kerberos as the KDC, enable PAM authentication so that users can log on with their PAM user name and password.
Before you begin
The PAM environment must be set up properly on all your management hosts. To take advantage of user management, the getent passwd and getent group commands must list users and user groups that are to be loaded to the cluster without a domain name included in the user name or group name.
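The prerequisite above is easy to get wrong on hosts joined to Active Directory, because SSSD or Winbind can be configured to emit domain-qualified names. The following is an added example (not part of the original documentation) that parses `getent passwd`/`getent group` output and flags any name that carries a domain qualifier. The assumption is that a backslash, `@`, or slash in the name field marks a domain-qualified name; the sample output is constructed.

```python
import re
import subprocess

# Assumption: a name containing DOMAIN\user, user@REALM or DOMAIN/user is
# domain-qualified and would not match the plain names EGO user management expects.
DOMAIN_QUALIFIED = re.compile(r"[\\@/]")


def find_domain_qualified(getent_output: str) -> list[str]:
    """Return names from `getent passwd` / `getent group` output that include a domain qualifier.

    Each getent line is colon-separated and the name is the first field.
    """
    flagged = []
    for line in getent_output.splitlines():
        if not line.strip():
            continue
        name = line.split(":", 1)[0]
        if DOMAIN_QUALIFIED.search(name):
            flagged.append(name)
    return flagged


def check_host(database: str) -> list[str]:
    """Run getent for the given NSS database ('passwd' or 'group') on this host
    and return the names that would fail the prerequisite."""
    result = subprocess.run(["getent", database], capture_output=True, text=True, check=False)
    return find_domain_qualified(result.stdout)


# Constructed sample of what `getent passwd` might print on an AD-joined host
# whose NSS backend has been left to emit fully qualified names.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:*:10001:10001:Alice:/home/alice:/bin/bash
EXAMPLE\\bob:*:10002:10002:Bob:/home/bob:/bin/bash
carol@EXAMPLE.COM:*:10003:10003:Carol:/home/carol:/bin/bash
"""


if __name__ == "__main__":
    print("sample offenders:", find_domain_qualified(SAMPLE_PASSWD))
    for db in ("passwd", "group"):
        bad = check_host(db)
        print(f"{db}: {'OK' if not bad else 'domain-qualified names: ' + ', '.join(bad)}")
```

Run it on every management host before enabling ENABLE_PAM_AUTH; an empty result for both databases means the names match what the cluster will load.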
About this task
To enable PAM authentication in the cluster, you must configure the ENABLE_PAM_AUTH and PAM_SERVICE parameters in the sec_ego_gsskrb.conf file on all management hosts. To enable user logons with the PAM user name and password from Linux compute or client hosts, enable the ENABLE_PAM_AUTH parameter in the sec_ego_gsskrb.conf on the host.
With PAM authentication enabled, a PAM credential cache (instead of a Kerberos credential cache) is generated at the location set by the EGOCC_FILE environment variable. After a user logs on with the PAM user name and password, an EGO credential for PAM is generated; this credential is also used for subsequent logons. If the authentication client (for example, the egosh user logon or the soamlogon command) needs the EGO credential to be saved to a credential cache, it is saved to the cache set by EGOCC_FILE, if it exists. Otherwise, it is saved to the default credential cache (/tmp/secegocc_uid).
A single authentication client might have two credential caches: a Kerberos credential cache and an EGO credential cache. The Kerberos credential cache is used before the EGO credential cache; in other words, Kerberos authentication is used as long as the Kerberos credential cache exists. Credentials are used in the following order of precedence: KRB5CCNAME > /tmp/krb5cc_uid > EGOCC_FILE > /tmp/secegocc_uid.
If the selected credential is not valid, authentication fails and does not progress to the next credential even if it exists.
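The precedence and no-fallthrough rules in the two paragraphs above decide which cache a client actually consults, and therefore which credential an operator must fix when a logon fails. The following added example (not code from the original documentation or the product) models that selection: it walks the documented order KRB5CCNAME > /tmp/krb5cc_uid > EGOCC_FILE > /tmp/secegocc_uid, stops at the first cache that exists, and reports failure rather than trying the next cache when that credential is invalid. It also returns where a new EGO credential would be saved. File existence and credential validity are injected as functions so the logic can be exercised with constructed inputs; the handling of a leading `FILE:` prefix on KRB5CCNAME is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Mapping, Optional


@dataclass(frozen=True)
class CacheChoice:
    kind: str   # "kerberos" or "ego"
    path: str


def _plain_path(value: Optional[str]) -> Optional[str]:
    """Assumption: KRB5CCNAME may carry a FILE: prefix; strip it so existence checks see a path."""
    if value and value.startswith("FILE:"):
        return value[len("FILE:"):]
    return value


def select_credential_cache(env: Mapping[str, str], uid: int,
                            exists: Callable[[str], bool]) -> Optional[CacheChoice]:
    """Return the first existing cache in the documented order, or None if none exists."""
    candidates = [
        ("kerberos", _plain_path(env.get("KRB5CCNAME"))),
        ("kerberos", f"/tmp/krb5cc_{uid}"),
        ("ego", env.get("EGOCC_FILE")),
        ("ego", f"/tmp/secegocc_{uid}"),
    ]
    for kind, path in candidates:
        if path and exists(path):
            return CacheChoice(kind, path)
    return None


def authenticate(env: Mapping[str, str], uid: int,
                 exists: Callable[[str], bool], is_valid: Callable[[str], bool]) -> str:
    """Only the selected cache is tried: an invalid credential fails without falling through."""
    choice = select_credential_cache(env, uid, exists)
    if choice is None:
        return "no-cache"
    return "ok" if is_valid(choice.path) else "failed"


def ego_cache_save_path(env: Mapping[str, str], uid: int) -> str:
    """Where a freshly generated EGO credential is written: EGOCC_FILE if set, else the default."""
    return env.get("EGOCC_FILE") or f"/tmp/secegocc_{uid}"


if __name__ == "__main__":
    # Constructed scenario: a stale Kerberos cache sits beside a valid EGO cache.
    uid = 1000
    on_disk = {"/tmp/krb5cc_1000", "/tmp/secegocc_1000"}
    valid = {"/tmp/secegocc_1000"}
    env = {}
    print(select_credential_cache(env, uid, on_disk.__contains__))   # kerberos cache wins
    print(authenticate(env, uid, on_disk.__contains__, valid.__contains__))  # "failed", no fallthrough
```

The last two lines show the failure mode the documentation warns about: an expired Kerberos cache left in /tmp blocks a perfectly good EGO credential, so removing or renewing the Kerberos cache, not regenerating the EGO one, is the fix.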
VEMKD processes. An example is the pam_krb5 module, which forks multiple child processes during authentication. For a VEMKD process with a lot of memory, the forking operation is more time-consuming and can affect performance.